tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Using RemoteAddressValve with an Apache mod_proxy_balancer
Date Thu, 17 Dec 2009 09:02:13 GMT
Martin B. Smith wrote:
> On 12/16/2009 11:01 PM, Bill Barker wrote:
>> "André Warnier" <aw@ice-sa.com> wrote in message 
>> news:4B294EB6.4090109@ice-sa.com...
>>> Martin B. Smith wrote:
>>>> Howdy!
>>>>
>>>> I'm trying to ensure that only specific instances of Apache are allowed 
>>>> to proxy requests into my Tomcat 5.5.28 instances. 
...
>> Yes, but if the OP wants to block all access to Tomcat, it is even easier to 
>> just not have the worker configured on those Apaches that shouldn't contact 
>> it.

That assumes that the OP has access to the Apache webservers he wants to 
block.  And it does not stop an Apache webserver, controlled by someone 
else, from inserting the proxying statements to use the Tomcat.

That's why I was thinking of the "secret". This way, only the webservers 
to which Bill gives the secret would be able to connect.

>> As a result, I'm guessing that the OP wants to restrict access to
>> certain webapps.
>>
>> The good news is that with the AJP connector, request.getLocalName() returns 
>> the name of the Apache server (as specified by the ServerName directive), 
>> not the Tomcat server.  And request.getLocalAddr() returns the IP address of 
>> request.getLocalName() as it resolves on the Tomcat machine.  With that 
>> information it isn't hard to write a Filter that does what you want.  For 
>> the truly lazy, it would also be trivial to copy RemoteAddrValve to 
>> LocalAddrValve and have it check localAddr instead of remoteAddr. 
>>
Right. But this makes another couple of assumptions: 1) that the OP is 
a Java programmer and 2) that he can insert a filter or a Valve into 
Tomcat (as opposed to just being someone who can change some 
configuration elements).
...
> 
> André, thank you for the suggestions. I had considered them, but wanted
> some additional, more specific protections without going to mod_jk.

In the meantime, I checked on the Apache forum.
Unfortunately, as it stands now, some AJP parameters can be set in 
Apache via the "key=value" elements of ProxyPass and ProxySet, but 
unfortunately it seems that "secret" is not amongst them.

> 
> Bill, your post is a gem. Indeed, I can always use network ACLs and
> iptables and mod_jk, but I was really hoping to do mod_proxy_balancer.
> While there's some administrative separations between the programmers
> and the system administrators that prevent me from writing servlets on
> top of Tomcat, this is a nice tip.
> 
All in all, I personally like Bill's "lazy" suggestion the best: create 
another Address Valve that checks the local instead of the client address.
I would even think that the most elegant solution, since Valves are 
something specific to Tomcat anyway, would be to enhance the existing 
Valve with an additional attribute, telling it to either use the client 
address (the default), or the local address (by adding a new attribute).
Any interest anyone ?

(If anyone points me to where the code of the RemoteAddrValve can be 
found, I'd like to have a look. But I really don't even know where to 
begin with submitting patches and stuff.  I'm only good at talking..).
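
The Filter variant Bill describes above, written out as an added example that is not part of this message or of Tomcat itself. It is a plain Servlet 2.4 filter (so it needs no Tomcat-internal classes) that compares request.getLocalAddr() against an allow-list given as an init-param; the class name LocalAddrFilter, the init-param name "allow", and the address 10.0.0.5 used in the web.xml fragment are all made up for the illustration. One caveat to keep in mind, following André's point about a webserver controlled by someone else: over AJP the local name/address Tomcat sees is whatever the proxying Apache reports as its ServerName, so this check catches a misconfigured Apache that you control but does not by itself stop a hostile one that can set ServerName as it likes; for that you still need network ACLs, iptables, or the mod_jk secret.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * LocalAddrFilter (hypothetical name): allows a request only when the
 * local address of the request, which over an AJP connector is the address
 * of the Apache ServerName as resolved on the Tomcat host, is on an
 * explicit allow-list.  Everything else gets a 403.
 *
 * Register it in the webapp's WEB-INF/web.xml, for example:
 *
 *   <filter>
 *     <filter-name>LocalAddrFilter</filter-name>
 *     <filter-class>LocalAddrFilter</filter-class>
 *     <init-param>
 *       <param-name>allow</param-name>
 *       <param-value>10.0.0.5,10.0.0.6</param-value>   <!-- constructed sample -->
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LocalAddrFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class LocalAddrFilter implements Filter {

    private Set<String> allowed = Collections.emptySet();

    public void init(FilterConfig config) throws ServletException {
        String list = config.getInitParameter("allow");
        if (list == null || list.trim().length() == 0) {
            // Fail closed at deployment time rather than silently allowing everything.
            throw new ServletException("LocalAddrFilter: 'allow' init-param is required");
        }
        Set<String> addrs = new HashSet<String>();
        String[] parts = list.split(",");
        for (int i = 0; i < parts.length; i++) {
            String addr = parts[i].trim();
            if (addr.length() > 0) {
                addrs.add(addr);
            }
        }
        allowed = addrs;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // getLocalAddr() is the side of the connection Tomcat considers "local";
        // with the AJP connector this is derived from the Apache ServerName.
        String local = request.getLocalAddr();
        if (local == null || !allowed.contains(local)) {
            if (response instanceof HttpServletResponse) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;   // do not continue the chain for a non-allowed front end
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        allowed = Collections.emptySet();
    }
}
```

Because the filter is matched with an exact string comparison, list the address exactly as it resolves on the Tomcat machine (check with request.getLocalAddr() in a test JSP first, or compare against what Apache's ServerName resolves to from the Tomcat host); a hostname or a CIDR range would not match as written.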


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

